ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG40 / USG40W / USG60 / USG60W / USG110 /
USG210 / USG310 / USG1100 / USG1900
Security Firewalls
Firmware Version 4.13 ~ 4.15
Edition 1, 7/2016
Handbook
Copyright © 2016 ZyXEL Communications Corporation
1/255
Table of Content
How to Configure Site-to-site IPSec VPN with Amazon VPC .................... 8
Set Up the IPSec VPN Tunnel on the Amazon VPC .............................. 9
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ............................. 13
Test the IPSec VPN Tunnel ....................................................................... 17
What Could Go Wrong? ........................................................................ 18
How to Configure GRE over IPSec VPN Tunnel ......................................... 20
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (HQ) ........ 21
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (Branch) .... 25
Test the GRE over IPSec VPN Tunnel ...................................................... 30
What Could Go Wrong? ........................................................................ 30
How to Configure IPSec Site to Site VPN while one Site is behind a NAT router ...... 32
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) ................. 33
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) ............ 36
Set Up the NAT Router (Using ZyWALL USG device in this example) 40
Test the IPSec VPN Tunnel ....................................................................... 42
What Could Go Wrong? ........................................................................ 43
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router .... 45
Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ ........................ 46
Set Up the NAT Router (Using ZyWALL USG device in this example) 50
Test the L2TP over IPSec VPN Tunnel ...................................................... 52
What Could Go Wrong? ........................................................................ 55
How to configure if I want user can only see SSL VPN Login button in web portal login page .... 57
Set Up the DNS Service ............................................................................ 58
Set Up the ZyWALL/USG SSL VPN Setting ............................................ 58
Set Up the ZyWALL/USG System Setting ................................................ 59
Test the SSL VPN ....................................................................................... 60
How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System .... 64
Set up the SSL VPN Tunnel with Windows 10 ....................................... 64
What Can Go Wrong? ........................................................................... 68
How to redirect multiple LAN interface traffic to the VPN tunnel ........... 70
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) ................. 71
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) ............ 74
Set up the Policy Route (ZyWALL/USG_HQ) ........................................ 77
Set up the Policy Route (ZyWALL/USG_Branch) ................................. 79
Test the IPSec VPN Tunnel ....................................................................... 80
What Could Go Wrong? ........................................................................ 82
How to Configure IPSec VPN Failover ....................................................... 84
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) ................. 85
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) ............ 88
Set up the WAN Trunk (ZyWALL/USG_HQ) ........................................... 92
Set up the Failover Command Line (ZyWALL/USG HQ) .................... 93
Test the IPSec VPN Tunnel ....................................................................... 95
What Could Go Wrong? ........................................................................ 96
How to Create VTI and Configure VPN Failover with VTI ........................ 98
VTI Deployment Flow .............................................................................. 98
Set Up the ZyWALL/USG VTI of Corporate Network (HQ) ................. 99
Set Up the ZyWALL/USG VTI of Corporate Network (Branch) ........ 104
Test the IPSec VPN Tunnel .................................................................... 111
What Can Go Wrong? ......................................................................... 113
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone .... 115
Set Up the L2TP VPN Tunnel on the ZyWALL/USG .............................. 116
Export a Certificate from ZyWALL/USG and Import it to Android Mobile Phone ......... 120
Set Up the L2TP VPN Tunnel on the Android Mobile Device ........... 121
Test the L2TP over IPSec VPN Tunnel .................................................. 124
What Could Go Wrong? ...................................................................... 126
How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone ....... 128
Set Up the L2TP VPN Tunnel on the ZyWALL/USG .............................. 129
Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone ............ 133
Set Up the L2TP VPN Tunnel on the iOS Mobile Device .................... 134
Test the L2TP over IPSec VPN Tunnel .................................................. 137
What Could Go Wrong? ...................................................................... 138
How to configure the USG when using a Cloud Based SIP system ...... 140
Set Up the SIP ALG ................................................................................. 141
Test result ................................................................................................ 142
What could go wrong? ........................................................................ 142
How to block HTTPS websites by Domain Filter without applying SSL Inspection ....... 143
Set Up the Content Filter on the ZyWALL/USG .................................. 144
Set Up the Security Policy on the ZyWALL/USG ................................ 146
Set Up the System Policy on the ZyWALL/USG .................................. 146
Test the Result ........................................................................ 147
How to configure Content Filter 2.0 - Geo IP Blocking .......................... 149
Set Up the Address Object with Geo IP on the ZyWALL/USG ........... 150
Set Up the Security Policy on the ZyWALL/USG ................................ 151
Test the Result ........................................................................ 152
What could go wrong .......................................................................... 153
How to block the client accessing to certain country using Geo IP and Content Filter .... 154
Check Geo IP License Status on the ZyWALL/USG ........................... 155
Set Up the Address Object with Geo IP on the ZyWALL/USG ........... 155
Set Up the Security Policy on the ZyWALL/USG ................................ 156
Test the Result ........................................................................ 158
How to set up Link Aggregation Group (LAG) ....................................... 160
Set up the Active-backup, 802.3ad, Balance-alb ........................... 160
Set up the active-backup mode. ...................................................... 164
Test the Result ........................................................................................ 166
What can go wrong ............................................................................. 166
How to Restrict Web Portal access from the Internet ............................ 167
Set Up the ZyWALL/USG System Setting .............................................. 168
Test the Web Access ............................................................................. 169
How to Setup and Configure Daily Report ............................................. 171
Set Up the ZyWALL/USG Email Daily Report Setting ........................... 172
Test the Daily Log Report ...................................................................... 173
What Could Go Wrong? ...................................................................... 174
How to Setup and Configure Email Logs ................................................ 175
Set Up the ZyWALL/USG Email Logs Setting ........................................ 176
Test the Email Log .................................................................................. 178
What Could Go Wrong? ...................................................................... 178
How to setup and send logs to a Syslog Server ..................................... 179
Set Up the Syslog Server (Use Papertrail syslog in this example) ....... 180
Set Up the ZyWALL/USG Remote Server Setting ................................. 182
Test the Remote Server ......................................................................... 183
What Could Go Wrong? ...................................................................... 184
How to setup and send logs to a Vantage Reports Server ................... 185
Set Up the VRPT Server .......................................................................... 186
Set Up the ZyWALL/USG Remote Server Setting ................................. 189
Test the Remote Server ......................................................................... 189
What Could Go Wrong? ...................................................................... 190
How to enable and send logs to the USB storage ................................. 191
Set Up the USB System Settings ............................................................. 192
Set Up the USB Log Storage .................................................................. 192
Check the USG Log Files ...................................................................... 193
How to create a Wi-Fi VLAN interfaces to separate staff network and Guest network .... 194
Set up Wi-Fi VLAN interfaces ............................................................... 195
Test result ............................................................................... 202
What could go wrong .......................................................................... 203
How to Activate a Free Access Hotspot ................................................. 205
Set up the Free Access Hotspot .......................................................... 206
Test the User Agreement and Advertisement Webpage ............... 208
What could Go Wrong? ....................................................................... 209
Set up Enable the Free Time Feature ................................................. 210
Test Free Time Feature .......................................................................... 215
What Can Go Wrong? ......................................................................... 218
How to Enable Device HA Pro ................................................................. 220
Device HA Pro License ......................................................................... 221
Behavior of the Device HA Pro ........................................................... 222
Suggestions ............................................................................................ 224
How do I Configure Device HA Pro in My Current Environment? . 224
What can go wrong ............................................................................. 229
How to Set Up IPv6 Interfaces For Pure IPv6 Routing ............................. 231
Setting Up the IPv6 Interface ............................................................... 232
Set up the Prefix Delegation and Router Advertisement ............... 234
Test ........................................................................................................... 238
What Can Go Wrong? ......................................................................... 238
Test ........................................................................................................... 240
How to Perform and Use the Packet Capture Feature on the ZyWALL/USG ............. 241
Set Up the Packet Capture Feature .................................................... 242
Check the Capture Files ...................................................................... 244
How to Automatically Reboot the ZyWALL/USG by Schedule ............. 246
Set Up the Shell Script ............................................................................ 247
Set Up the Schedule Run ...................................................................... 248
Check the Reboot Status ..................................................................... 249
How to continuously run a ZySH script .................................................... 251
Set Up the Shell Script ............................................................................ 252
Set Up the Schedule Run ...................................................................... 253
Check the Result ................................................................................... 254
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks.
This example was tested using USG110 (Firmware Version: ZLD 4.15) and Amazon
VPC (June 2016).
How to Configure Site-to-site IPSec VPN with Amazon VPC
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN
between a ZyWALL/USG and an Amazon VPC platform. It walks through configuring
the VPN tunnel at each site. Once the VPN tunnel is configured, each site can be
accessed securely from the other.
Figure 1 ZyWALL/USG Site-to-site IPSec VPN with Amazon VPC
Set Up the IPSec VPN Tunnel on the Amazon VPC
1 Sign into the Amazon AWS Management Console. Go to Networking > VPC.
Figure 2 Amazon AWS Management Console > Networking > VPC
2 In the upper left-hand corner of the screen, click Start VPC Wizard.
Figure 3 Amazon VPC Management Console > Networking > VPC > Start VPC
Wizard
3 Under Select a VPC Configuration, select VPC with a Private Subnet Only and
Hardware VPN Access, and then click Select.
Figure 4 Select a VPC Configuration > VPC with a Private Subnet Only and Hardware
VPN Access
4 On the VPC with a Private Subnet Only and Hardware VPN page, enter your IP CIDR
block and Private subnet. Click Next.
Figure 5 VPC with a Private Subnet Only and Hardware VPN
5 Under Configure your VPN, enter the ZyWALL/USG public IP address as the Customer
Gateway IP. Enter a Customer Gateway name and a VPN Connection name.
Click Create VPC at the bottom of the blade.
Figure 6 Configure your VPN
6 In the VPC Dashboard, go to VPN Connections. Select Download Configuration from
the upper bar. Select Vendor and Platform to be Generic. Click Yes, Download.
Figure 7 VPC Dashboard > VPN Connections
7 Open the downloaded configuration .txt file; it lists the IKE SA, IPSec SA and
Gateway IP address settings. Make sure all of these settings match the
ZyWALL/USG’s settings.
Figure 8 Configuration .txt File
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard,
use the VPN Settings wizard to create a VPN rule that can be used with the
Amazon VPC. Click Next.
Figure 9 Quick Setup > VPN Setup Wizard > Welcome
Choose Advanced to create a VPN rule with customized phase 1 and phase 2
settings and authentication method. Click Next.
Figure 10 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select
the rule to be Site-to-site. Click Next.
Figure 11 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the peer Amazon VPC’s Gateway IP
address (in the example, 52.39.135.203); select My Address to be the interface
connected to the Internet.
Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time to
values that Amazon VPC supports. Type a secure Pre-Shared Key.
Figure 12 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Phase 1 Setting)
Continue to Phase 2 Settings and select Encapsulation, Encryption,
Authentication, and SA Life Time settings that Amazon VPC supports.
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG and Remote Policy to be the IP address range of the network connected
to the Amazon VPC. Click OK.
Figure 13 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN
Settings (Phase 2 Setting)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Figure 14 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN
Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Figure 15 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN
Settings > Wizard Completed
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click
Connect on the upper bar. The Status connect icon is lit when the interface is
connected.
Figure 16 CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up
Time and the Inbound(Bytes)/Outbound(Bytes) traffic.
Figure 17 MONITOR > VPN Monitor > IPSec
To test whether or not a tunnel is working, ping from a Local LAN to AWS VPC private
Subnet for verification. Ensure that both computers have Internet access.
Figure 18 Ping from Local LAN to AWS VPC private Subnet for verification:
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase
1 settings. Make sure every ZyWALL/USG Phase 1 setting is in the list of
IKE Phase 1 values that Amazon VPC supports.
Figure 19 MONITOR > Log
If the Phase 1 IKE SA completes but you still see the [info] log message below,
check the ZyWALL/USG Phase 2 settings. Make sure every ZyWALL/USG Phase 2
setting is in the list of IKE Phase 2 values that Amazon VPC supports.
Figure 20 MONITOR > Log
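As an added example (not code from the handbook or from Zyxel), the Python script below reads the key/value lines of the Generic configuration file downloaded in step 7, translates them into the Phase 1 and Phase 2 names the VPN Setup Wizard uses, and lists every setting that differs from what was entered on the ZyWALL/USG, which is the usual cause of the Phase 1 and Phase 2 log messages above. The file excerpt, the ZyWALL/USG values and the dictionary key names are constructed for this example, and the line layout is assumed to follow the Generic download.

```python
import re

# Constructed excerpt in the key/value layout of the "Generic" vendor
# configuration the VPC console downloads (sample values, not a real tunnel).
AWS_GENERIC_CONFIG = """\
#1: Internet Key Exchange Configuration
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#3: Tunnel Interface Configuration
  - Virtual Private Gateway  : 52.39.135.203
"""

# Phase 1 / Phase 2 values as entered in the ZyWALL/USG VPN Setup Wizard
# (constructed to match the file above; the dict keys are this script's own).
ZYWALL_PHASE1 = {"negotiation": "Main", "encryption": "AES128", "authentication": "SHA1",
                 "key_group": "DH2", "sa_lifetime": 28800}
ZYWALL_PHASE2 = {"encapsulation": "Tunnel", "encryption": "AES128", "authentication": "SHA1",
                 "pfs": "DH2", "sa_lifetime": 3600}

# Spellings used in the VPC file -> names the wizard uses.
ENC_NAMES = {"aes-128-cbc": "AES128", "aes-256-cbc": "AES256", "3des-cbc": "3DES"}
AUTH_NAMES = {"sha1": "SHA1", "hmac-sha1-96": "SHA1", "sha2-256": "SHA256",
              "hmac-sha2-256-128": "SHA256", "md5": "MD5"}
# Wizard field -> line of the VPC file that must agree with it.
PHASE1_FIELDS = {"negotiation": "Phase 1 Negotiation Mode", "encryption": "Encryption Algorithm",
                 "authentication": "Authentication Algorithm",
                 "key_group": "Perfect Forward Secrecy", "sa_lifetime": "Lifetime"}
PHASE2_FIELDS = {"encapsulation": "Mode", "encryption": "Encryption Algorithm",
                 "authentication": "Authentication Algorithm",
                 "pfs": "Perfect Forward Secrecy", "sa_lifetime": "Lifetime"}

def parse_generic_config(text):
    """Return {section_number: {key: value}} for the '#N:' sections of the file."""
    sections, current = {}, None
    for line in text.splitlines():
        head = re.match(r"#(\d+):", line)
        if head:
            current = int(head.group(1))
            sections[current] = {}
            continue
        pair = re.match(r"\s*-\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if pair and current is not None:
            sections[current][pair.group(1)] = pair.group(2)
    return sections

def to_wizard(key, value):
    """Translate one VPC value into the spelling the ZyWALL/USG wizard shows."""
    if key == "Lifetime":
        return int(value.split()[0])  # '28800 seconds' -> 28800
    if key == "Perfect Forward Secrecy":
        return "DH" + re.search(r"Group\s+(\d+)", value).group(1)  # -> 'DH2'
    if key == "Encryption Algorithm":
        return ENC_NAMES.get(value, value.upper())
    if key == "Authentication Algorithm":
        return AUTH_NAMES.get(value, value.upper())
    return value.capitalize()  # 'main' -> 'Main', 'tunnel' -> 'Tunnel'

def expected_from_vpc(text):
    """The Phase 1 and Phase 2 dicts the wizard must be filled with to match the VPC."""
    sections = parse_generic_config(text)
    phase1 = {f: to_wizard(k, sections[1][k]) for f, k in PHASE1_FIELDS.items()}
    phase2 = {f: to_wizard(k, sections[2][k]) for f, k in PHASE2_FIELDS.items()}
    return phase1, phase2

def vpc_gateway_ip(text):
    """The address to enter as Secure Gateway IP on the ZyWALL/USG."""
    return parse_generic_config(text)[3]["Virtual Private Gateway"]

def find_mismatches(zywall_phase1, zywall_phase2, text=AWS_GENERIC_CONFIG):
    """Every Phase 1/2 value that differs from what the VPC expects (empty list = match)."""
    want1, want2 = expected_from_vpc(text)
    checks = (("Phase 1", want1, zywall_phase1), ("Phase 2", want2, zywall_phase2))
    return [f"{phase} {key}: ZyWALL/USG has {have.get(key)!r}, VPC expects {value!r}"
            for phase, want, have in checks
            for key, value in want.items() if have.get(key) != value]
```

Run `find_mismatches(ZYWALL_PHASE1, ZYWALL_PHASE2)` against the real download and the wizard values; each line it returns names one field to correct before reconnecting the tunnel.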
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks. This
example was tested using USG110 (Firmware Version: ZLD 4.15) and ZyWALL 310
(Firmware Version: ZLD 4.15).
How to Configure GRE over IPSec VPN Tunnel
This example shows how to use the VPN Setup Wizard to create a GRE over
IPSec VPN tunnel between two ZyWALL/USG devices. It walks through configuring
the VPN tunnel at each site. Once the GRE over IPSec VPN tunnel is configured,
each site can be accessed securely from the other.
Figure 21 ZyWALL/USG GRE over IPSec VPN
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of
Corporate Network (HQ)
In the ZyWALL/USG (HQ), go to CONFIGURATION > Quick Setup > VPN Setup Wizard and
use the VPN Settings wizard to create a VPN rule that can be used with the
ZyWALL/USG (Branch). Click Next.
Figure 22 Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings
and a pre-shared key as the authentication method. Click Next.
Figure 23 Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You
may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to
be Site-to-site. Click Next.
Figure 24 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure Secure Gateway IP as the Branch’s WAN IP address (in the example,
111.250.184.80). Then, type a secure Pre-Shared Key (8-32 characters).
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network
connected to the ZyWALL/USG (Branch).
Figure 25 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings
(Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Figure 26 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Figure 27 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN
Settings > Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG
does not check the identity content of the remote IPSec router.
Figure 28 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings > Authentication > Peer ID Type
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show Advanced
Settings > Policy. Select Enable GRE over IPSec.
Figure 29 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show
Advanced Settings > Policy
The GRE tunnel runs between the IPsec public interface on the HQ unit and the
Branch unit. Go to CONFIGURATION > Network > Interface > Tunnel > Add. Enter
the Interface Name (the format is tunnelx, where x is 0 - 3). Enter the IP Address
and Subnet Mask for this interface. Set My Address to the interface or IP
address to use as the source address for the packets this interface tunnels to the
remote gateway. Set Remote Gateway Address to the IP address or domain name of
the remote gateway for this tunnel's traffic.
Figure 30 CONFIGURATION > Network > Interface > Tunnel > Add
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of
Corporate Network (Branch)
In the ZyWALL/USG (Branch), go to CONFIGURATION > Quick Setup > VPN Setup Wizard
and use the VPN Settings wizard to create a VPN rule that can be used with the
ZyWALL/USG (HQ). Click Next.
Figure 31 Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings
and a pre-shared key as the authentication method. Click Next.
Figure 32 Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You
may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to
be Site-to-site. Click Next.
Figure 33 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure Secure Gateway IP as the HQ’s WAN IP address (in the example,
61.228.245.247). Then, type a secure Pre-Shared Key (8-32 characters).
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG (Branch) and Remote Policy to be the IP address range of the
network connected to the ZyWALL/USG (HQ).
Figure 34 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings
(Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Figure 35 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Figure 36 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN
Settings > Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG
does not check the identity content of the remote IPSec router.
Figure 37 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings > Authentication > Peer ID Type
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show Advanced
Settings > Policy. Select Enable GRE over IPSec.
Figure 38 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show
Advanced Settings > Policy
The GRE tunnel runs between the IPsec public interface on the Branch unit and
the HQ unit. Go to CONFIGURATION > Network > Interface > Tunnel > Add. Enter
the Interface Name (the format is tunnelx, where x is 0 - 3). Enter the IP Address
and Subnet Mask for this interface. Set My Address to the interface or IP
address to use as the source address for the packets this interface tunnels to the
remote gateway. Set Remote Gateway Address to the IP address or domain name of
the remote gateway for this tunnel's traffic.
Figure 39 CONFIGURATION > Network > Interface > Tunnel > Add
Test the GRE over IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click
Connect on the upper bar. The Status connect icon is lit when the interface is
connected.
Figure 40 CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up
Time and Inbound (Bytes)/Outbound (Bytes) Traffic.
Figure 41 MONITOR > VPN Monitor > IPSec
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase
1 settings. Make sure the Phase 1 settings on the HQ and Branch ZyWALL/USG units
match each other.
Figure 42 MONITOR > Log